
Thread: Social Engineering: Part I

  1. #1

    Social Engineering: Part I

    A few of you seem to have mistaken the definition of social engineering and some of you just missed the entire concept.
    Well, this article from Security Focus is for you. Hopefully this will help you with your understanding of social engineering. You can view the full article from here.

    Definitions
    ...Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured.

    Target and Attack
    The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.

    Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, to admit a fundamental security breach is not only embarrassing, it may be damaging to the organization’s reputation) and/or the attack was not well documented so that nobody is really sure whether there was a social engineering attack or not.

    As for why organizations are targeted through social engineering – well, it’s often an easier way to gain illicit access than are many forms of technical hacking. Even for technical people, it’s often much simpler to just pick up the phone and ask someone for his password. And most often, that’s just what a hacker will do.

    Social engineering attacks take place on two levels: the physical and the psychological. First, we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around and emerges from the building with ample information to exploit the network from home later that night. Another technique to gain authentication information is to just stand there and watch an oblivious employee type in his password.

    Social Engineering by Phone
    The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense...
    Example:
    “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘Well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” - Computer Security Institute

    Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.

    Dumpster Diving
    Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters. The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.”

    These sources can provide a rich vein of information for the hacker. Phone books can give the hackers names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for creating authenticity. Policy manuals show hackers how secure (or insecure) the company really is. Calendars are great – they may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give hackers the exact keys they need to unlock the network. Finally, outdated hardware, particularly hard drives, can be restored to provide all sorts of useful information.

    On-Line Social Engineering
    The Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address – that way, she might even get that person’s corporate account password as well) and password. These forms can be sent by e-mail or through US Mail. US Mail provides a better appearance that the sweepstakes might be a legitimate enterprise.

    Another way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for a user’s password. This type of social engineering attack doesn’t generally work, because users are generally more aware of hackers when online, but it is something of which to take note. Furthermore, pop-up windows can be installed by hackers to look like part of the network and request that the user reenter his username and password to fix some sort of problem. At this point in time, most users should know not to send passwords in clear text (if at all), but it never hurts to have an occasional reminder of this simple security measure from the System Administrator. Even better, sys admins might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be authorized and trusted.

    Persuasion
    The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.

    Reverse Social Engineering
    A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.

    Hopefully this will help you with your understanding of social engineering.

    Remote_Access_

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    I still stick to my theory that social engineering is a fancy term for lying. And I still don't consider lying a form of hacking, it's a form of manipulation.

    That's my opinion though. Thanks for the definition post.

    I'd rather read this than that annoying "Longest Thread in The World" thread. I wish that thing would go away.
    ----------------------

    Note: I have received a lot of anti-points for saying that Social Engineering is a form of lying. I would really like to hear someone's theory on how it isn't a form of lying. When you are telling someone you are someone that you aren't THAT IS LYING. When you are tricking them into giving you information by telling them you are someone else, that is MANIPULATION. Social Engineering can be involved in hacking, however it IS NOT hacking. Social Engineering has absolutely NOTHING to do with computers. You can pretend to be someone else without knowing how to turn a computer on. It seems like people have such a broad definition of the word hacker, that the ability to pretend to be someone else now seems to make you a hacker? What form of hacking is that? Self Identity Hacking? And I guess all those people that assign anti-points and sign other people's names aren't lying, they are SOCIAL ENGINEERING. It's people like that, that give hackers a bad name. Please from now on if you don't agree with a post and are going to assign anti-points at least post a reply in the thread explaining your theory. Or maybe your theory won't hold water?
    An Ounce of Prevention is Worth a Pound of Cure...
     

  3. #3
    "Note: I have received a lot of anti-points for saying that Social Engineering is a form of lying."
    - 'grats.

    "I would really like to hear someone's theory on how it isn't a form of lying. When you are telling someone you are someone that you aren't THAT IS LYING. When you are tricking them into giving you information by telling them you are someone else, that is MANIPULATION."
    - What would you do to retrieve information from it?.. MANIPULATION perhaps? I'm not arguing that it isn't a form of lying. I'm just saying that it's a good technique to know how to use and even if you don't plan on using it, it will help you detect if someone is trying to use social engineering on you.

    "Social Engineering can be involved in hacking, however it IS NOT hacking."
    - Good point but that's arguable.

    "Social Engineering has absolutely NOTHING to do with computers."
    - I disagree to an extent. Why would they try to manipulate someone into giving them their password or other critical information if they weren't going to use it with a COMPUTER?

    "You can pretend to be someone else without knowing how to turn a computer on."
    - You can but that doesn't necessarily mean you should.

    "It seems like people have such a broad definition of the word hacker, that the ability to pretend to be someone else now seems to make you a hacker?"
    - I didn't say that pretending to be someone else or using social engineering makes you a hacker. The term hacker IS a broad definition and there's been 1000s of definitions of the word.

    "What form of hacking is that?"
    - Social engineering

    "Self Identity Hacking?"
    - Impersonation and manipulation. Take IP spoofing for example. It's not really hacking but it's a form thereof. It's also a form of lying isn't it?.. since you're not using your real IP address.

    "And I guess all those people that assign anti-points and sign other people's names aren't lying, they are SOCIAL ENGINEERING."
    - Eh.. not really.

    "It's people like that, that give hackers a bad name."
    - There's lots of people that give hackers a bad name.

    "Please from now on if you don't agree with a post and are going to assign anti-points at least post a reply in the thread explaining your theory. Or maybe your theory won't hold water?"
    - Heh, perhaps my theory won't hold water or even amount to sh!t but I'm just posting a reply with my explanation.

    Remote_Access_

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Posts
    8
    I have to agree with both of you to a certain extent. In my humble opinion, and in my experience, Social Engineering is a part of hacking. It is not technical, it is lying, and it is manipulation - but still a part of hacking (or in my case intrusion testing).
    When I perform penetration tests, many times part of that test is social engineering efforts, and taking advantage of the natural human instinct to trust. This tests the "intangible" aspects of corporate and organizational security, such as policy and procedures.
    If I can gain access to your systems by performing a buffer overflow to a listening service, or simply call someone and get a password - I am still in your system, and your system has been compromised. The difference is what is the remedy to this compromise.
    In summary - Social Engineering is hacking (in a holistic sense when viewing security not just through technology, but the whole life cycle) and it is lying / manipulating.
    Chuck "Spence" Fasching
    Information Security Architect
    CCSA, CCSE, GSEC

  5. #5
    Junior Member
    Join Date
    Jan 2002
    Posts
    21
    I still stick to my theory that social engineering is a fancy term for lying. And I still don't consider lying a form of hacking, it's a form of manipulation.
    It's not lying, man! It's charming or tricking people!

    Social engineering is the single most effective security penetration technique of all. You can put a computer inside a sealed room with 10 foot thick concrete walls, but if any employee who knows the login sequence is chatty, lonely, or otherwise pliable, 50 foot walls won't secure the system. Security is made up of a chain of connected elements: firewalls, passwords, shredders, alarm systems, secure rooms, etc...
    But the old adage applies: the security chain is only as strong as its weakest link. And all too often that weak link is a person.



  6. #6
    I can't remember who it was, but it was on AO irc or somewhere in the forums that said that the biggest vulnerability lies between the keyboard and the chair.

    Remote_Access_

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Location
    USA
    Posts
    355

    Thumbs up

    You got that right
    "SI JE PUIS"

  8. #8
    Junior Member
    Join Date
    Jan 2002
    Posts
    28
    Originally posted by Remote_Access_
    I can't remember who it was, but it was on AO irc or somewhere in the forums that said that the biggest vulnerability lies between the keyboard and the chair.

    Remote_Access_
    Couldn't have put it better myself. You can spend thousands on securing a network from the outside when it's really what's on the inside that's the biggest threat. Companies need to spend more on security education rather than installing software firewalls....


    Anyway, good post, RA.
    "It's not wise to argue with a fool...people might not be able to tell the difference!"


  9. #9
    Noble Hamlet
    Guest
    There is no skill involved in social engineering, you could be a complete non-skilled cracker yet still penetrate a system using these age-old con artist tricks of sorts.

    Thus making most attempts to secure networks, servers etc. pointless, you open yourself up to problems if you get the wrong type of employee, terrible factor for people to deal with.

  10. #10

    Mr. Hamlet...

    There is no skill involved in social engineering, huh? You're full of shiz-nit Mr. Hamlet. If there's no skill involved in social engineering then why do companies and major corporations do security audits with one of the methods being SOCIAL ENGINEERING?

    you could be a complete non-skilled cracker yet still penetrate a system using these age-old con artist tricks of sorts.
    - Yes you can but I doubt that you have the capability of doing so..

    Thus making most attempts to secure networks, servers etc. pointless, you open yourself up to problems if you get the wrong type of employee, terrible factor for people to deal with.
    - If the attempts to secure networks, servers, etc. were pointless then why would you download the latest security patch for IE, *NIX, WIN, or any other OS or application? Well that's a no brainer:
    TO FIX THE PROBLEM!
    TO ELIMINATE THE VULNERABILITY!
    TO GET RID OF THE BUG!

    Yes, you do open yerself up to problems IF you hire the wrong type of employee.. Most of 'em get weeded out during this phase called "Process of Elimination".. What this enables the company/org./biz. to do is find the most qualified person(s) and then filter them out one by one by looking at your resume, your application, personal appearance, attitude, etc.
    You're a good example of that terrible factor for people to deal with..

    Remote_Access_
